There were widespread security concerns yesterday after the disclosure of a long-standing flaw that affects web servers and many Internet-connected devices, but many in the industry say it presents no immediate threat to bitcoin services.
The vulnerability, dubbed the 'Bash Bug' or 'Shellshock', lets an attacker run commands of their choosing on a UNIX-like system through its command line shell, the most widely used of which is bash.
UNIX-like systems include Mac OS X, Linux (desktop and server), popular mobile platforms, and the embedded systems inside routers and other devices that communicate online, although only those that actually ship bash are exposed: many embedded devices and Android use smaller shells such as BusyBox ash or mksh, which do not have this flaw.
Jeff Garzik, bitcoin core developer and now senior software engineer at BitPay, said however that there is no clear and present danger to bitcoin users.
Garzik told CoinDesk that, while the newly disclosed bug had the potential to be bad, "most online services using bitcoin are far more secure than your average home router".
He added that the Bash Bug would impact mostly non-bitcoin sites, and was being over-hyped.
Bitcoin a target?
At this stage, there are no reports of any exploit of the Bash Bug affecting any bitcoin-related services. So why care at all?
Bitcoin services may potentially be a more attractive target for hackers and thieves than more established, fiat-based services like online banking and PayPal.
There are two historic reasons for this: poor security implementation at some early-stage online bitcoin services, and the reluctance of authorities to investigate or punish digital currency crimes, unless they suspect drugs or money laundering are involved.
Therefore it is best to at least be aware of potential problems developers and services may face.
One exchange's view
Yan Chuan or 'YC', CTO of exchange BitBays.com, said the bug was "relatively easy for hackers to use", and recommended all users patch, back up logs, and check systems to see if any attack had occurred.
Because the bug gives an attacker command execution on the affected system, with whatever privileges the process that invoked bash was running under, there is potential for any kind of attack, from stealing bitcoin wallets to installing keyloggers and backdoors.
YC said bitcoin itself would not be affected due to its decentralized structure.
Since Windows is not UNIX-based and does not ship bash, its desktop users would not be affected directly. BitBays' platform is prepared, YC continued, but concerned users of other platforms might like to ask their exchange or wallet service about the situation if unsure.
The Bash Bug (tracked as CVE-2014-6271) stems from the way bash (Bourne Again SHell) imports shell functions from its environment: a variable whose value begins with "() {" is parsed as a function definition, and a vulnerable bash keeps going after the closing brace and executes any commands appended there. Anything that sets environment variables from untrusted input and then starts bash is affected, which includes not only the local shell but also SSH (via forced commands), FTP, HTTP (via CGI) and other important services.
YC explained how the bug could be exploited, saying that many web servers pass the user's HTTP request information (REMOTE_HOST, REQUEST_METHOD, QUERY_STRING, etc.), stored in environment variables, to the backend web framework or CGI scripts.
If this information includes malicious instructions, the next time the server executes bash it will execute them, and the server is compromised.
At present, the popular Apache + PHP and Nginx + WSGI frameworks are vulnerable.
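The script below is an added example, not code from the article, from BitBays or from any of the people quoted. It puts the mechanism just described and the check YC recommends into runnable form: a probe that tells whether the local bash still executes commands appended to an exported function definition, a simulated CGI request showing how a request header reaches that code path, and a scan for the exploit signature in web server logs. The probe payload, the stand-in CGI handler and the access log lines are all constructed here for illustration.

```shell
#!/bin/sh
# Added example for the Bash Bug write-up above. Not code from the article,
# BitBays or Red Hat; the probe payload, the stand-in CGI handler and the
# log lines are all constructed here for illustration.

# 1. Local probe. A vulnerable bash keeps parsing an exported variable after
#    the function body "() { :; }" and runs whatever follows it. A fixed bash
#    stops at the closing brace, so the marker never appears in the output.
#    Prints "vulnerable", "patched" or "no-bash".
shellshock_probe() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env 'x=() { :; }; echo SHELLSHOCK_MARKER' "$bash_bin" -c ':' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# 2. The CGI path. Before running a CGI handler the web server copies request
#    data into the environment (HTTP_USER_AGENT, REQUEST_METHOD, QUERY_STRING,
#    ...). If the handler is bash, or shells out to it, each of those values
#    is parsed as above. The bash -c one-liner stands in for a real handler;
#    on a vulnerable bash the attacker's command runs before "handled GET".
simulate_cgi_request() {
    user_agent="$1"
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    env "HTTP_USER_AGENT=$user_agent" "REQUEST_METHOD=GET" "QUERY_STRING=page=1" \
        bash -c 'printf "handled %s\n" "$REQUEST_METHOD"' 2>/dev/null
}

# 3. Log check. Exploit attempts ride in on headers, so the tell-tale "() {"
#    ends up in the Referer or User-Agent field of the access log. Reads log
#    lines on stdin and prints the ones carrying the signature; the pattern
#    tolerates the whitespace variants "() {" and "(){".
scan_access_log() {
    grep -E '\(\)[[:space:]]*\{'
}

# Constructed Apache-style access log (not real traffic): two attempts among
# ordinary requests.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; /bin/bash -c 'id'"
198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "(){ :;}; ping -c 1 198.51.100.2" "curl/7.30.0"
203.0.113.5 - - [25/Sep/2014:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# Number of suspicious lines in the constructed log (2 for the sample above).
count_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log | wc -l | tr -d ' '
}

echo "local bash: $(shellshock_probe)"
echo "benign request: $(simulate_cgi_request 'Mozilla/5.0')"
echo "hostile request: $(simulate_cgi_request '() { :; }; echo INJECTED')"
echo "exploit attempts in sample log: $(count_attempts)"
```

Run it with sh on the host in question. The probe only exercises the original bug's pattern, so "patched" means the vendor fix for that pattern is in place, not that every bash parsing issue is closed; and the log scan only sees headers the server actually logs, so an attempt carried in a header that is not written to the access log will not show up there.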
No quick fix
According to Red Hat, which issued its own security advisory, many programs invoke the bash shell in the background, so the exposure is not limited to systems where users log in to a shell. Several Linux distributions have already made patches available, including Red Hat Enterprise Linux, Debian, Ubuntu and CentOS.
The bug, which had existed for around 25 years before this week's disclosure, could affect millions of devices and leave many older ones in need of patching. It is the sheer number of devices that need patching, rather than the flaw's complexity or any known exploits, that has some experts concerned.